EC urges privacy protections, robust security
The European Commission (EC) has released a contact-tracing application toolbox to help member states develop apps to trace the path of COVID-19, without, it hopes, infringing on the rights of citizens.
In a 44-page guide the EC sets out the requirements that should be met for any contact-tracing application. It should be voluntary, approved by the state’s health authority and in line with personal data privacy laws.
The aim of contact tracing is to enable public health authorities to quickly assess and trace the path of the virus by identifying people who have had contact with an infected individual.
Collected anonymised and aggregated data could allow local authorities to follow infection patterns and make critical containment decisions.
Commissioner for Internal Market Thierry Breton commented: “Contact-tracing apps to limit the spread of coronavirus can be useful, especially as part of member states’ exit strategies.
“However, strong privacy safeguards are a pre-requisite for the uptake of these apps, and therefore their usefulness. While we should be innovative and make the best use of technology in fighting the pandemic, we will not compromise on our values and privacy requirements.”
Crucially – and typically harder to implement – it is required that once the application is no longer needed, it should be dismantled.
The report notes that: “The functionality in such apps – if rolled-out on a large scale so that they reach well over 50 percent of the population – could be useful for Member States to rapidly detect contacts of cases, collect information on these contacts and to inform contacts on the need for follow-up and testing if required.”
The EU toolbox has been developed by the e-Health Network – a voluntary platform for member states – with support from the European Commission.
The guide has privacy concerns as a central point and is advising that applications be built on technology that does not enable the tracking of an individual’s location. One such method suggested is Bluetooth proximity technology, which has already been used by the Singapore Ministry of Health.
Another existing application build using a different approach is Israel’s Hamagen app that uses a device’s GPS data to determine if a user has come into contact with an infected person within the preceding 14 days.
The UK government itself is receiving mobile data from telecommunication providers such as BT. Richard Helson, a former police officer and now head of mobile data specialist Chorus Intelligence UK, told Computer Business Review that it appeared the government would be getting “only the cell tower location… not the physical location of the device,” but that this data would be useful to track larger-scale lockdown compliance.
The toolbox has several guidelines for developers and understanding the scope of the project seems to be squarely in view as they are urged to actively limit the permissions of the application.
When possible they should use pseudonymise or anonymise data to ensure public privacy. Any sensitive data not being used should be deleted as soon as possible. The guide advises that developers “test their app as much as possible, using automated tools for testing and integration, which cover not only functional tests, but also security tests like fuzz testing, vulnerability scanning, code quality checks, (static and dynamic) code analysis tools, source code scanning for libraries and developed code.”
The EC suggests that member states stage bi-weekly meetings and, by June, deliver a standard that can help authorities to plan exit strategies.